Application Data
• Contains application specific data of the user
|
|
Location |
Windows Version |
Documents and Settings\Username |
XP |
|
|
Documents and Settings\Username\Local |
XP – Non Roaming |
Settings |
|
|
|
Users\User\AppData |
Vista, 7, 8 |
|
|
Application Data (subfolders)
• Local
• LocalLow
• Roaming
AppData Local
•Application data that does not roam with the user.
•too large to effectively roam
•Machine specific
Appdata LocalLow
•Applications do not meet the security credentials
•Generally do not have write privileges to the user’s profile.
AppData Roaming
• Specific data that roam with the user profile.
SUMMARY
Folder Structure & AppData
•Different versions may have different folder structures
•Default Locations will have artifacts of forensic value
•AppData will contain data specific to the user.
Registry Description
•Registry is like the central nervous system of a human body
•It stores information to be available when needed by Windows, during a system’s operation
•According to Microsoft, Registry is a central hierarchical database of settings
•what kind of information is actually stored there?
•There…. where?
•And is it of forensic interest?
Registry Information
•User Specific Information
•System Specific Information
•Application Specific Information
Registry’s Structure
• Regedit
Key
Subkeys